You are on page 1of 5

IT Security - 2 Exercise 3 (Buffer Overflows

Tanmaya Mahapatra Matriculation Number : 340959 Bharath Rangaraj Matriculation Number : 340909

Mohibullah Kamal Matriculation Number : 341323 October 31, 2013


Task - 1 : Heap and Stack

Question 1 What is the heap and what is the stack used for ? Solution: The stack is the memory set aside as scratch space for a thread of execution. When a function is called, a block is reserved on the top of the stack for local variables and some bookkeeping data. When that function returns, the block becomes unused and can be used the next time a function is called. The stack is always reserved in a LIFO order; the most recently reserved block is always the next block to be freed. This makes it really simple to keep track of the stack; freeing a block from the stack is nothing more than adjusting one pointer. The heap is memory set aside for dynamic allocation. Unlike the stack, there’s no enforced pattern to the allocation and deallocation of blocks from the heap; you can allocate a block at any time and free it at any time. This makes it much more complex to keep track of which parts of the heap are allocated or free at any given time; there are many custom heap allocators available to tune heap performance for different usage patterns. Each thread gets a stack, while there’s typically only one heap for the application (although it isn’t uncommon to have multiple heaps for different types of allocation). Question 2 Where are stack and heap located in memory, in which direction do they grow (on the x86 architecture) ?


g. in general. The canonical heap overflow technique overwrites dynamic memory allocation linkage (such as malloc meta data) and uses the resulting pointer exchange to overwrite a program function pointer. since it may contain many allocation and deallocation holes. overruns the buffer’s boundary and overwrites adjacent memory. growing and shrinking it as necessary. but rather a pool of pages that are dynamically allocated from user space memory. This includes the automatic variables of C. IBM/390) there is no real hardware stack at all. Because they usually have to share the same address space. and it may include the return address and other registers saved when a function is called.Solution: The stack is typically stored in the “low” addresses of memory and fills upward toward its upper limit. The stack is an area of memory set aside for local variables which are allocated when a function is called and which are de-allocated when that function returns. The Buffer overflow techniques are mainly targeted on Stack and Heap because : • The Text Segment is Read only. 1. so it is better to think of it as a loose collection of pages than as a LIFO-stack type structure. Thus the Heap is prone to Buffer overflow attacks. This is a special case of violation of memory safety. Page 2 . grow in any direction. The heap is typically stored at the “top” of the address space and grows toward the stack. giving that “grow down-grow up” behavior. 2. the stack grows up instead of down. So the Buffer Overflow attacks target on Stack and Heap portion of the Executable program Segments. No alterations can be done. stack boundary • Heap and stack shrink and grow dynamically during program execution. The heap can. Exploitation is performed by corrupting this data in specific ways to cause the application to overwrite internal structures such as linked list pointers. If by buffer overflow these return addresses are manipulated then we can execute arbitrary code without any problems. But most heap implementations expand their space usage within a predetermined address range. Some systems (some HP systems. for example). Question 3 Why do buffer overflow attacks always depend on heap or stack memory ? Solution: By Buffer overflow we mean that a program while writing data to a buffer. and as a convenience they each begin on one end of the address space. Memory on the heap is dynamically allocated by the application at run-time and typically contains program data. And on other systems (e. • Data Segment : Cant change return address : Systems prevent crossing data.. Then they grow towards each other.

Nowadays. It is called a “shellcode” because it starts a command shell from which the attacker can typically control the system. Solution: Download and execute shellcode Download and execute is a type of remote shellcode that downloads and executes some form of malware on the target system. Omelette shellcode A small piece of shellcode written in assembler that can scan the user-land address space for small blocks of memory (”eggs”) and recombine the eggs into one large block. A shellcode may be used as an exploit payload. When done. Question 2 Name at least 2 types of shellcodes and briefly describe their benefits. save it to disk and execute it. providing a hacker or attacker with command line access to a computer system. Shellcodes are generally used in : • shellcodes are used to exploit codes directly in the stack or other parts of the memory. Page 3 .2 Task . but rather instructs the machine to download a certain executable file off the network. we need assembly codes that represent a raw set of machine instructions of the target machines. • Shellcodes exploit stack or heap based buffer overflow vulnerabilities or format string attack. Benefits include: • The code is smaller as that it does not require the shellcode to spawn a new process on the target system.2 : Shellcode Question 1 What is a shellcode and where is it used within the process of exploitation ? Solution: Shellcode is a small piece of code written in assembly level language which is used as a payload for the exploitation of vulnerabilities. which deal with binary. it is commonly used in drive-by download attacks. • It contain an encoded copy of the executable which it can decode and write to the disc and it can also download copies of encoded executables from the attackers web site. the large block is executed. This type of shellcode does not spawn a shell. Benefits Include: • i) This is useful when you can only insert small blocks at random locations into a process and not one contiguous large block containing your shellcode in one piece: this code will recombine the eggs to create your shellcode in the process and execute it. • Shellcode does not need code to clean up the targeted process as this can be done by the library loaded into the process. • Shellcode is used to spawn a (root) shell because it will give us the highest privilege. where a victim visits a malicious webpage that in turn attempts to run such a download and execute shellcode in order to install software on the victim’s machine.

Once vulnerability is detected on a system it can be exploited with the help of a shell code but the problem arises when we want to find the most suitable and effective shellcode because the target machine architecture. 3 Task . What problem arises when you are looking for a suitable shellcode ? What could you do to make your life easier ? Solution: 1. If the return address is overwritten with any address within the no operation region of the buffer it will slide down the NOPs until it is redirected to the actual malicious code by the jump at the end. the code behaves differently for different platforms and executes the right part of the shellcode for the platform it is running on.3 : NOPs Question 1 How can an attacker use NOPs to increase his chances for success in a buffer overflow attack ? Solution: An attacker in a buffer overflow attack scenario does not have to know the precise starting address of code because he/she can exploit the fact that the code is much smaller than the space between the buffer therefore he/she can place code near the end of the buffer by padding the memory area before it with no operations (NOP) instructions. a web-browser).g. Question 2 How hard is the detection of this technique ? Solution: The detection only occurs when the designated address is in between the NOP sled where by the attacker guess can differ from the actual buffer address by half the size of the NOP sled. As these instructions do nothing the attacker can designate the return address used to enter this code at a location somewhere in the run of NOPs which is known as the NOP sled. many consecutive NOPs. Question 3 How can an attacker avoid detection while using the same principle ? Page 4 . operating system and the service pack is unknown. Life can me made easier by creating multiple versions of the shellcode that target the various platforms and creating a header that branches to the correct version for the platform the code is running on.Question 3 Consider the following scenario: You have found an exploitable vulnerability for a platformindependent software (e. 2. a computer processing unit (CPU) instruction which tells the CPU to do nothing. Since the shellcode is not unique for all machines we need to know the specifics of the machine for a successful attack. When executed.

Attacker cant guess what the value of canary will be.Solution: 4 Task . which makes buffer overflow much harder. Question 2 What is the underlying problem (besides missed bound checking) that makes it possible to execute shellcode from within a buffer that is filled with (benign) data during regular program execution ? Which mitigation technique tries to solve this problem ? Solution: Question 3 Which mitigation technique tries to make the prediction of memory addresses harder ? Solution: Address Space layout Randomization (ASLR).4 : Exploit Mitigation Techniques Question 1 What are mitigation techniques and what are they good for? Solution: • ASLR: Attacker does not know address of executable code. an operating system shuffles up all the location addresses for an application as well as all the supporting libraries surrounding the application. the only choice left with the attacker is to predict addresses. 2. • Stack Canaries. newline. EOF String functions like strcpy wont copy beyond “\0”. Therefore. Choose random canary string on program start. Page 5 . linefeed. 2 types are used : 1. Terminator canary: any termination symbol for C string library functions such as “\0”.